Apple said the flaw had been partially fixed in iOS 9 (pushed out last fall), but will end up completely removed in iOS 9.3, which released Monday.

A team of Johns Hopkins University researchers headed by computer science professor Matthew Green were able to execute a successful attack by targeting iPhones that are still not using the latest version of the mobile OS.

The were able to create software that imitates an Apple server, and then they intercepted an encrypted iMessage that contained a link to the photo stored in Apple’s iCloud server, and a 64-digit key to decrypt the photo.

The digits and letters in the key weren’t visible, but the vulnerability allowed the researchers to repeatedly send test keys back to the phone, and it would accept the guessed digits or letters and reject those that weren’t the correct ones. After a great many guesses, they discovered/compiled the entire key.

Green said a modified version of the attack would also work on later operating systems, but only highly skilled attackers would likely to be able to pull it off.

One of the Johns Hopkins researchers said the vulnerability is not in how Apple stores or encrypts attachments.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right,” Green said